xloader | 73f3a87138fbde81c8fd0a9c86155f95959e048ab255aa910c3c92bef81c6552

Analysis

max time kernel
101s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 20:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

85d09cb470fac72a4baee36133c895a74f7e9adad0e7a16527cf6606705a66a0.exe
Size

798KB
MD5

721d3421f9a2e8077117df38e86841fb
SHA1

37eeb6d7ac92f609b3828838f484ce4ed6b8fd38
SHA256

85d09cb470fac72a4baee36133c895a74f7e9adad0e7a16527cf6606705a66a0
SHA512

5544a6b5ff7c7a71356ca4be24b18f6fe4d909b4090a041dbc9a0f8028196a2b1b30b1a9680702f65f659b3d50e4422513a468adf232f91c8451d4408c216608
SSDEEP

24576:ZbrlINJAclYSKU9rvGwfDLYgvFx5taMx+:ZXlINJNlYdelLxT5tb+

Score

10^/10

xloader heay discovery loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

heay

Decoy

filosofgangen.com

clickb4shop.com

diesva.online

gcs-eu.com

gznk.net

connectmatchsupport.com

sunrisetillsunuptow.com

44.plus

hhhsccultum.quest

mindful.support

academyofpeerservices.net

acemilados.xyz

xn--belle-mre-63a.com

investigatoridaho.com

haimalvpai.com

mstlons.com

arxom.xyz

kcckurla.com

undeclined.info

3881a.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Xloader family
xloader

Xloader payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/1048-11-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4720 set thread context of 1048	4720	85d09cb470fac72a4baee36133c895a74f7e9adad0e7a16527cf6606705a66a0.exe	93

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	85d09cb470fac72a4baee36133c895a74f7e9adad0e7a16527cf6606705a66a0.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1048	85d09cb470fac72a4baee36133c895a74f7e9adad0e7a16527cf6606705a66a0.exe
1048	85d09cb470fac72a4baee36133c895a74f7e9adad0e7a16527cf6606705a66a0.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4720 wrote to memory of 1048	4720	85d09cb470fac72a4baee36133c895a74f7e9adad0e7a16527cf6606705a66a0.exe	93
PID 4720 wrote to memory of 1048	4720	85d09cb470fac72a4baee36133c895a74f7e9adad0e7a16527cf6606705a66a0.exe	93
PID 4720 wrote to memory of 1048	4720	85d09cb470fac72a4baee36133c895a74f7e9adad0e7a16527cf6606705a66a0.exe	93
PID 4720 wrote to memory of 1048	4720	85d09cb470fac72a4baee36133c895a74f7e9adad0e7a16527cf6606705a66a0.exe	93
PID 4720 wrote to memory of 1048	4720	85d09cb470fac72a4baee36133c895a74f7e9adad0e7a16527cf6606705a66a0.exe	93
PID 4720 wrote to memory of 1048	4720	85d09cb470fac72a4baee36133c895a74f7e9adad0e7a16527cf6606705a66a0.exe	93

C:\Users\Admin\AppData\Local\Temp\85d09cb470fac72a4baee36133c895a74f7e9adad0e7a16527cf6606705a66a0.exe
"C:\Users\Admin\AppData\Local\Temp\85d09cb470fac72a4baee36133c895a74f7e9adad0e7a16527cf6606705a66a0.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4720
- C:\Users\Admin\AppData\Local\Temp\85d09cb470fac72a4baee36133c895a74f7e9adad0e7a16527cf6606705a66a0.exe
  "C:\Users\Admin\AppData\Local\Temp\85d09cb470fac72a4baee36133c895a74f7e9adad0e7a16527cf6606705a66a0.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1048-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1048-14-0x0000000001AA0000-0x0000000001DEA000-memory.dmp

Filesize
3.3MB

Download
memory/4720-6-0x000000007462E000-0x000000007462F000-memory.dmp

Filesize
4KB

Download
memory/4720-3-0x0000000004CA0000-0x0000000004CE0000-memory.dmp

Filesize
256KB

Download
memory/4720-4-0x0000000004C60000-0x0000000004C6E000-memory.dmp

Filesize
56KB

Download
memory/4720-5-0x0000000004F00000-0x0000000004F92000-memory.dmp

Filesize
584KB

Download
memory/4720-0-0x000000007462E000-0x000000007462F000-memory.dmp

Filesize
4KB

Download
memory/4720-7-0x0000000074620000-0x0000000074DD0000-memory.dmp

Filesize
7.7MB

Download
memory/4720-8-0x00000000051A0000-0x000000000523C000-memory.dmp

Filesize
624KB

Download
memory/4720-9-0x0000000005540000-0x00000000055F0000-memory.dmp

Filesize
704KB

Download
memory/4720-10-0x0000000005600000-0x0000000005630000-memory.dmp

Filesize
192KB

Download
memory/4720-2-0x0000000074620000-0x0000000074DD0000-memory.dmp

Filesize
7.7MB

Download
memory/4720-13-0x0000000074620000-0x0000000074DD0000-memory.dmp

Filesize
7.7MB

Download
memory/4720-1-0x00000000001E0000-0x00000000002AE000-memory.dmp

Filesize
824KB

Download